
Block DHCP over OpenVPN bridge

Discussion in 'Tomato Firmware' started by lancethepants, Feb 1, 2012.

  1. lancethepants

    lancethepants Network Guru Member

    These scripts are meant to be placed in Administration -> Scripts -> Firewall.

    First, your firmware version must support ebtables. You can check by typing 'ebtables' in Tools -> System -> Command, then execute. If you get a bunch of command options, you're good. If you get '....ebtables: not found ', then this will not work for you. I suggest a firmware with kernel 2.6, if your router supports it, and if this is an important feature for you.
    Secondly, you need to change 'X' in the following scripts to match the tap interface that is in use. In TomatoUSB, this generally means the first server will be '21' and first client will be '11'. These numbers really could be anything, but those are the ones the developer chose. These scripts will block both inbound and outbound DHCP broadcasts, so it's only necessary to place them at one end of the tunnel, though it's perfectly fine to place them at both.

    ebtables -A INPUT --in-interface tapX --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
    ebtables -A INPUT --in-interface tapX --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
    ebtables -A FORWARD --out-interface tapX --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
    ebtables -A FORWARD --out-interface tapX --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP

    For info on blocking UPnP and NAT-PMP
    http://linksysinfo.org/index.php?threads/block-upnp-over-openvpn-bridge-tap11.36805/#post-178577
     
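    The same four rules as post #1, wrapped in a small Firewall-script example added here (this is not lancethepants' script): the tap interface is set once, the ebtables binary is checked before it is used, and the script can be re-run on every firewall restart without stacking duplicate rules. TAP_IF defaulting to tap21 and the EBTABLES override are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not the script posted above: wraps the four DHCP rules from
# post #1 so the tap interface is set in one place, the ebtables binary is
# checked before use, and re-running the Firewall script (Tomato runs it on
# every firewall restart) does not stack duplicate rules.
# TAP_IF defaults to tap21 (first server tap in TomatoUSB); EBTABLES lets the
# rule generator be exercised with another command, e.g. EBTABLES=echo.

TAP_IF="${TAP_IF:-tap21}"
EBTABLES="${EBTABLES:-ebtables}"

# Print one rule spec per line (chain plus match, without -A/-D) dropping DHCP
# (UDP ports 67-68) that enters the bridge from, or is forwarded out to, $1.
dhcp_block_rules() {
    iface="$1"
    case "$iface" in
        tap[0-9]*) ;;
        *) echo "dhcp_block_rules: expected a tapN interface, got '$iface'" >&2
           return 1 ;;
    esac
    for chain_if in "INPUT --in-interface" "FORWARD --out-interface"; do
        for port in --ip-destination-port --ip-source-port; do
            echo "$chain_if $iface --protocol ipv4 --ip-protocol udp $port 67:68 -j DROP"
        done
    done
}

# Apply the rules idempotently: legacy ebtables has no check (-C) option, so
# delete any existing copy of each rule first, then append it.
apply_dhcp_block() {
    iface="$1"
    command -v "$EBTABLES" >/dev/null 2>&1 || {
        echo "$EBTABLES not found: this firmware build cannot use these rules" >&2
        return 1
    }
    dhcp_block_rules "$iface" >/dev/null || return 1   # validate the name first
    dhcp_block_rules "$iface" | while read -r rule; do
        # $rule is intentionally split into words here
        "$EBTABLES" -D $rule >/dev/null 2>&1 || true
        "$EBTABLES" -A $rule
    done
}

# Firewall-script entry point; a failure is reported but does not abort the script.
apply_dhcp_block "$TAP_IF" || true
```

    Put the file's contents in Administration -> Scripts -> Firewall and set TAP_IF to the tap interface of your own server or client instance.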
  2. alfred

    alfred Networkin' Nut Member

    I will try to do my best to enjoy this experiment. :D
    I believe there are many people who have the same request as me.

    With the four FORWARD rules from post #1 (before the editing) installed only on the server, the DHCP messages flow:
    server -- blocked --> client
    server <-- not blocked -- client.
    It does not work.

    After the editing: now it works! Both DHCP directions are blocked.
    I would like to keep it on running and watching.

    Thank you very much! Nice work! :cool:
     
  3. kthaddock

    kthaddock Network Guru Member

    What did you change? I didn't follow the whole thread!
    This?
    kthaddock
     
  4. alfred

    alfred Networkin' Nut Member

    Forget the thing that was changed; it was invalid, did not work, and has been corrected.
    Just follow the post #1 in this thread. It works.
     
  5. kthaddock

    kthaddock Network Guru Member

    Thanks!
    kthaddock
     
  6. ep1centre

    ep1centre Networkin' Nut Member

    I'm interested in this feature, though whenever I paste the above (post 1) into my custom configuration and press "save", the server service just stops and won't start again until I delete that custom configuration again.

    Was this intended for the client side? Or maybe I'm doing something else wrong... Any ideas?
     
  7. lancethepants

    lancethepants Network Guru Member

    I've edited the first post to clarify on their usage.
     
  8. alfred

    alfred Networkin' Nut Member

    Now I get the same issue while IPv6 is enabled, and the syslogs of both the OpenVPN server and client are flooded with the advertisement warning lines:

    So please lancethepants, if you can help me, thanks.
     
  9. lancethepants

    lancethepants Network Guru Member

    For my purposes I haven't wanted any IPv6 to go down the tunnel, so I've completely blocked it with the following rules:

    ebtables -A INPUT --in-interface tapX --protocol ipv6 -j DROP
    ebtables -A FORWARD --out-interface tapX --protocol ipv6 -j DROP
    ebtables -A OUTPUT --out-interface tapX --protocol ipv6 -j DROP

    If you wanted to get more specific you could add '--ip6-protocol' and '--ip6-source-port' or '--ip6-destination-port' and filter out exactly what you want.
     
  10. alfred

    alfred Networkin' Nut Member

    Much appreciated! Completely blocking IPv6 is reasonable and acceptable.

    But it blocks only client->server when this script is placed at the VPN client; the opposite direction is not blocked.
    So I added another "FORWARD --in-interface" line and it works.

    ebtables -A INPUT --in-interface tapX --protocol ipv6 -j DROP
    ebtables -A FORWARD --out-interface tapX --protocol ipv6 -j DROP
    ebtables -A FORWARD --in-interface tapX --protocol ipv6 -j DROP
    ebtables -A OUTPUT --out-interface tapX --protocol ipv6 -j DROP
     
